migrate to git.charlotte.sh
This commit is contained in:
Charlotte Croce
commit
fbd588721e
412 changed files with 13750 additions and 0 deletions
80
net-sec-controls-sec350/labs/week03/lab3.1-segmentation-1.md
Normal file
80
net-sec-controls-sec350/labs/week03/lab3.1-segmentation-1.md
Normal file
|
|
@ -0,0 +1,80 @@
|
|||
# Lab 3.1 Segmentation 1
|
||||
In this lab, we are going to segment our network by adding a new firewall and a new network (MGMT). We will retire our log01 server and replace it with a new server on the MGMT network.
|
||||
|
||||
___
|
||||
# if you got this far...you can shutdown log01. this machine is no longer needed
|
||||
- shutdown log01
|
||||
- On web01, remove your rsyslog dropin configuration from `/etc/rsyslog.d` (comment out the `user.notice` and `authpriv.*` lines)
|
||||
- On fw01, remove syslog host setting from configuration: `delete system syslog host 172.16.50.5`
|
||||
___
|
||||
|
||||
|
||||
## configure wks01 (LAN)
|
||||
- IP Address: 172.16.150.50\24
|
||||
- Gateway: 172.16.150.2
|
||||
- DNS: 172.16.150.2
|
||||
|
||||
|
||||
## fw01 - create a rule for NAT from MGMT to WAN
|
||||
```
|
||||
set nat source rule 30 description "NAT FROM MGMT to WAN"
|
||||
set nat source rule 30 outbound-interface eth0
|
||||
set nat source rule 30 source address 172.16.200.0/28
|
||||
set nat source rule 30 translation address masquerade
|
||||
```
|
||||
|
||||
|
||||
## fw-mgmt
|
||||
|
||||
 \
|
||||
Configure your fw-mgmt firewall's hostname with interface descriptions and interface addresses:
|
||||
- eth0: LAN- 172.16.150.3/24
|
||||
- eth1: MGMT- 172.16.200.2/28 (NOTE: MGMT is using a /28!)
|
||||
```
|
||||
set interfaces ethernet eth0 description LAN
|
||||
set interfaces ethernet eth1 description MGMT
|
||||
set interfaces ethernet eth0 address 172.16.150.3/24
|
||||
set interfaces ethernet eth1 address 172.16.200.2/28
|
||||
```
|
||||
|
||||
|
||||
Set the following:
|
||||
- gateway next-hop: `set protocols static route 0.0.0.0/0 next-hop 172.16.150.2`
|
||||
- name server to your fw01’s LAN interface address: `set system name-server 172.16.150.2`
|
||||
- dns forwarding such that requests are allowed from your management subnet and management interface.
|
||||
```
|
||||
set service dns forwarding listen-address 172.16.200.2
|
||||
set service dns forwarding allow-from 172.16.200.0/28
|
||||
set service dns forwarding system
|
||||
```
|
||||
|
||||
## configure mgmt02 (MGMT)
|
||||
- IP Address: 172.16.200.11/28
|
||||
- Gateway: 172.16.200.2
|
||||
- DNS: 172.16.200.2
|
||||
|
||||
|
||||
## RIP on FW1 and FW-MGMT
|
||||
fw01
|
||||
```
|
||||
set protocols rip interface eth2
|
||||
set protocols rip network '172.16.50.0/29'
|
||||
```
|
||||
fw-mgmt
|
||||
```
|
||||
set protocols rip interface eth0
|
||||
set protocols rip network '172.16.200.0/28'
|
||||
```
|
||||
|
||||
|
||||
## configure jump | wazuh-charlotte (MGMT)
|
||||
- IP: 172.16.200.10/28
|
||||
- Gateway: 172.16.200.2
|
||||
- DNS: 172.16.200.2
|
||||
|
||||
### netplan configuration (an alternative to nmtui)
|
||||
/etc/netplan/00-installer-config.yaml is the config file
|
||||
|
||||
|
||||
`sudo netplan apply`
|
||||
`sudo hostnamectl hostname wazuh-charlotte`
|
||||
39
net-sec-controls-sec350/labs/week03/lab3.2-wazuh.md
Normal file
39
net-sec-controls-sec350/labs/week03/lab3.2-wazuh.md
Normal file
|
|
@ -0,0 +1,39 @@
|
|||
# Lab 3.2 - Wazuh
|
||||
In this lab, we are going to experiment with a far more modern logging system called Wazuh. Wazuh is one of several ELK based SIEMs. We are using this one because of the relatively ease of installation as well as functionality. Unlike a traditionally syslog client and server, Wazuh allows us to install agents on supported systems. Agents can refine that information sent to their SIEM for streamlined analysis.
|
||||
|
||||
>[!Warning]
|
||||
>TAKE A SNAPSHOT BEFORE INSTALLATION
|
||||
|
||||
## Installation
|
||||
For a single node installation on wazuh, run the following command.
|
||||
`curl -sO https://packages.wazuh.com/4.7/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i`
|
||||
(added -i to ignore minimum requirements of 2CPU and 4 GB RAM)
|
||||
|
||||
>[!Note]
|
||||
>Save the auto-generated password, you will need it later
|
||||
|
||||
## Wazuh/OSSEC Agent on web01
|
||||
- Wazuh dropdown > management > groups > create a new group called linux
|
||||
- Wazuh dropdown > agents > Deploy a new agent with the following configuration.
|
||||
- Redhat/CentoS
|
||||
- CentOS 6 or higher (Note, it will work on rocky 8)
|
||||
- x86_64
|
||||
- 172.16.200.10
|
||||
- Linux
|
||||
- run the generated command on web01 to install the agent:
|
||||
```
|
||||
curl -o wazuh-agent-4.7.5-1.x86_64.rpm https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.5-1.x86_64.rpm && sudo WAZUH_MANAGER='172.16.200.10' WAZUH_AGENT_GROUP='linux' WAZUH_AGENT_NAME='web01-charlotte' rpm -ihv wazuh-agent-4.7.5-1.x86_64.rpm
|
||||
```
|
||||
- if you can't access through a web browser. try going to http://172.16.200.10/app/login. for some reason this worked for me
|
||||
|
||||
|
||||
|
||||
- start the agent
|
||||
```
|
||||
sudo systemctl daemon-reload
|
||||
sudo systemctl enable wazuh-agent
|
||||
sudo systemctl start wazuh-agent
|
||||
```
|
||||
|
||||
## to view security events
|
||||
dropdown > modules > security events
|
||||
Loading…
Add table
Add a link
Reference in a new issue